with the entries (and data structures updated as required). Processing is complete as indicated by process block 712.

FIG. 7B illustrates a process for identifying a highest priority result used in one embodiment. Processing begins with process block 750, and proceeds to process block 752, wherein results are received from the associative memories, blocks, etc. (including possibly from previous stages). In process block 754, the priority values are associated with the results (e.g., based on the entries, memories, blocks, etc.). In process block 756, the highest priority result is (or in one embodiment, results are) identified based on the inherent or programmed priority values. The hierarchy (e.g., the order they are considered) of types of priority values (e.g., those associated with the entries, banks, memories, etc.) can vary among embodiments and even among individual lookup operations. In process block 758, the highest priority result is (or results are) identified. Processing is complete as indicated by process block 759.

FIGS. 8A-G illustrate access control lists, processes, mechanisms, data structures, and/or other aspects of some of an unlimited number of systems employing embodiments for updating counters or other accounting devices, or for performing other functions. Shown in FIG. 8A is an access control list 800 which defines accounting information to be collected in a counting mechanism one by statement 801 for access control list entries 803 and in a counting mechanism two by statement 802 for access control list entries 804. Note, there are multiple access control entries that will cause a same counting mechanism to be adjusted. Also, the value that a particular counter is adjusted can be one (e.g., corresponding to one item or packet), a byte count (e.g., a size of an item, packet, frame, or datagram) or any other value.

FIG. 8B illustrates a process used in one embodiment to configure a mechanism for accumulating information based on access control entries. Note, this embodiment may be responsive to and/or implemented in computer-readable medium (e.g., software, firmware, etc.), custom hardware (e.g., circuits, ASICs, etc.) or via any other means or mechanism, such as, but not limited to that disclosed herein. For example, one embodiment uses a system described herein, and/or illustrated in FIGS. 1A-B, 2- 8D-8E, 9A, 9C-D, and/or any other figure.

Processing of the flow diagram illustrated in FIG. 8B begins with process block 810, and proceeds to process block 812, wherein an access control list is identified. Typically, the access control list includes multiple access control list entries, with a subset of these entries identifying accounting requests. Next, in process block 814, accounting mechanisms are associated with each of the access control list entries specifying accounting requests. Typically, but not always, at least one of the accounting mechanisms is associated with at least two different access control list entries. Processing is complete as indicated by process block 816.

FIG. 8C illustrates a process used in one embodiment for updating an accounting mechanism based on an item, such as, but not limited to one or more fields or values associated with a packet. Processing begins with process block 820, and proceeds to process block 822, wherein an item is identified. The identification of an item might include identifying an autonomous system number corresponding to the packet. Note, an autonomous system number is typically associated with a set of communication devices under a single administrative authority. For example, all packets sent from an Internet Service Provider typically are associated with a same autonomous system number. Next, in process block 824, a particular one of the accounting mechanisms corresponding to the item is identified, such as by, but not limited to a lookup operation in a data structure, associative memory, or by any other means or mechanism. Then, in process block 826, the identified accounting mechanism is updated. Processing is complete as indicated by process block 828.

FIG. 8D illustrates one embodiment of a system for updating an accounting value based on that defined by an access control list or other mechanism. Packets 831 are received and processed by packet processor 832 to generate packets 839. In one embodiment, packet processor 832 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 833 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 833, a lookup operation is performed in associative memory entries 834 in one or more associative memory banks and/or one or more associative memories to generate a counter indication 835. The corresponding counting mechanism within counters and decoder/control logic 836 is updated. Counter values 837 are typically communicated via any communication mechanism and/or technique to packet processor 832 or another device to be forwarded or processed.

FIG. 8E illustrates one embodiment of a system for updating an accounting value based on that defined by an access control list or other mechanism. Packets 840 are received and processed by packet processor 841 to generate packets 849. In one embodiment, packet processor 841 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 842 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 842, a lookup operation is performed in associative memory entries 843 in one or more associative memory banks and/or one or more associative memories to produce a lookup result 844, which is then used to perform a lookup operation in adjunct memory 845 to generate a counter indication 846, and the corresponding counting mechanism within counters and decoder/control logic 847 is updated. In one embodiment, adjunct memory 845 stores counter indications for corresponding locations of access control list entries programmed in associative memory 843, and some of these counter indications may be the same value such that a same counting mechanism is updated for different matching access control list entries. Counter values 848 are typically communicated via any communication mechanism and/or technique to packet processor 841 or another device to be forwarded or processed.

FIG. 8F illustrates an example of associative memory entries 860 and corresponding adjunct memory entries 870, such as those generated by one embodiment based on access control list entries 803 and 804 (FIG. 8A). As shown, associative memory entries 861-863 have the same counter indication in adjunct memory entries 871-873, while associative memory entry 864 has a different corresponding counter indication in adjunct memory entry 874. In one
embodiment, associative memory entries include fields for a source address, destination address, and other fields, such as, but not limited to autonomous system numbers (ASNs), protocol type, source and destination port information, etc. In one embodiment, adjunct memory entries 870 include an indication of a counting mechanism and/or other values which may be used for other purposes (e.g., security, routing, policing, quality of service, etc.).

FIG. 8G illustrates a process used in one embodiment for processing a packet. Processing begins with process block 880, and proceeds to process block 882, wherein a packet is identified. Next, in process block 884, one or more forwarding information base (FIB) lookup operations are performed to identify source and destination autonomous system numbers corresponding to the identified packet. In process block 886, an accounting lookup value is identified, typically based on information contained in the identified packet and the source and destination ASNs. In process block 888, a lookup operation is performed in one or more associative memory banks and possibly in corresponding one or more adjunct memories to identify a counter indication. In process block 890, the counter, if any, corresponding to the counter indication is updated by some static or dynamic value. Processing is complete as indicated by process block 892.

FIG. 9A illustrates one embodiment of a system for identifying a merged lookup result. Packets 901 are received and processed by packet processor 902 to generate packets 909. In one embodiment, packet processor 902 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 903 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 903, a lookup operation is performed in associative memory entries 904 (e.g., access control list, security, quality of service, accounting entries) in multiple associative memory banks and/or one or more associative memories to generate results 905, based on which, memories 906 generate results 907. Combiner mechanism 910 merges results 907 to produce one or more merged results 911, which are typically used by packet processor 902 in the processing of packets. In one embodiment, combiner mechanism 910 includes a processing element responsive to computer-readable medium (e.g., software, firmware, etc.), custom hardware (e.g., circuits, ASICs, etc.) and/or via any other means or mechanism. In one embodiment, a merged result 911 includes a counter indication which is used by counters and decoder/control logic 912 to update a value. The accumulated accounting values 913 are typically communicated to packet processor 902 or another device.

FIG. 9B illustrates an access control list 915, including access control list entries of multiple features of a same type. For example, entries 916 correspond to security entries such as the packet that should be dropped or processed, while entries 917 correspond to packets that should or should not be sent to a mechanism to encrypt the packet. Different associative memories are each programmed with associative memory entries corresponding to a different one of the features. A lookup operation is then performed substantially simultaneously on each of feature sets of associative memory entries to generate associative memory results, which are then used to perform lookup operations substantially simultaneously in adjunct memories to produce the lookup results which then can be merged to produce the merged result. The respective priorities of the lookup results may be implicit based on that corresponding to their respective associative memory banks and/or adjunct memories, or be specified, such as in the associative memory entries, from another data structure lookup operation, or identified using any other manner or mechanism.

For example, one embodiment includes four associative memory banks for supporting one to four features. An associative memory lookup operation is performed in parallel on the four banks and then in the adjunct memories (SRAMs), which indicate the action, type of entry (e.g., ACL, QoS, Accounting), and precedence for combiner mechanism. The combiner mechanism merges the results to get the final merged result. A miss in an ACL lookup in a bank is treated as a permit with lowest precedence. If in more than one bank there is a hit with same specified precedence in the retrieved adjunct memory entry, the precedence used by the combiner mechanism is determined based on the implied or specified precedence of the associative memory bank. If there is a miss in all the banks, default result is used from global registers. A similar merge operation is performed for the QoS and accounting lookup results.

FIG. 9C illustrates a lookup and merge mechanism 920 used by one embodiment. One or more of associative memory banks 921A-921C (there can be any number of banks) are programmed with associative memory entries of a same access control list type, with different features of the type programmed into a different one of the associative memory banks 921A-921C. Corresponding adjunct memory entries 922A-922C are programmed in one or more adjunct memories. Thus, lookup operations can be performed substantially simultaneously on associative memory banks 921A-C to generate results, which are used to identify corresponding lookup results from adjunct memory entries 922A-922C, which are then merged by combiner mechanism 923 to generate the merged result 924.

FIG. 9D is substantially similar to that of FIG. 9C, but illustrates that multiple merged results corresponding to multiple access control list entry types can be generated in parallel (e.g., substantially simultaneously). As shown, lookup and merge mechanism 920, used by one embodiment, is programmed with features sets of a same type in associative memory banks 931A-931B (there can be any number of banks), and of a different type in associative memory banks 931C-931D (there can be any number of banks). Corresponding adjunct memory entries 932A-932D are programmed into one or more adjunct memories. Thus, lookup operations can be performed substantially simultaneously on associative memory banks 921A-D to generate results, which are used to identify corresponding lookup results from adjunct memory entries 922A-922D, which are then merged by combiner mechanism 933 to generate the multiple merged results 934 (e.g., typically one or more merged result per access control list type).

FIG. 9E illustrates a process used in one embodiment to program the associative and adjunct memories in one embodiment. Processing begins with process block 940, and proceeds to process block 941, wherein an access control list including multiple access control list entries is identified. In process block 942, a first set of the access control list entries corresponding to a first feature of the access control list entries is identified. In process block 943, a first associative memory bank and a first adjunct memory are programmed with entries corresponding to the first set of access control
list entries. In process block 944, a second set of the access
control list entries corresponding to a second feature of the
access control list entries is identified. In process block 945,
a second associative memory bank and a second adjunct
memory are programmed with entries corresponding to the
second set of access control list entries. The first set of 
associative memory entries have a higher lookup precedence 
than the second set of associative memory entries. Process- 
ing is complete as indicated by process block 946. 

FIG. 9F illustrates a process used by one embodiment to 
perform lookup operations and to identify the merged result. 
Processing begins with process block 950, and proceeds to 
process block 951, wherein a lookup value is identified. 
Next, in process block 952, lookup operations are performed 
in the first and second associative memory banks and 
adjunct memories to generate first and second lookup 
results, which are merged in process block 953 to identify 
the merged result. Processing is complete as indicated by 
process block 954. 

FIG. 9G illustrates a lookup value 960, result value 965,
and merged result value 967 used in one embodiment. As
shown, lookup value 960 includes a lookup type 960A,
source address 960B, destination address 960C, source port
960D, destination port 960E, protocol type 960F, source
ASN 960G, destination ASN 960H, and possibly other fields
960I. One embodiment uses all, less than all, or none of
fields 960A-960I.

As shown, result value 965 includes a result type 965A, 
an action or counter indication 965B, and a precedence 
indication 965C. In one embodiment, result value 965 is 
programmed in the adjunct memories. One embodiment 
uses all, less than all, or none of fields 965A-965C. 

As shown, merged result value 967 includes a result type
967A and an action or counter indication 967B. One 
embodiment uses all, less than all, or none of fields 
967A-967B. 

FIGS. 9H-9J illustrate merging logic truth tables 970, 
972, and 974 for generating the merged result. In one 
embodiment, the merge result of a security lookup operation 
is illustrated in security combiner logic 970, and is based on 
the results of up to four substantially simultaneous (or not) 
lookup operations with differing precedence indicated in 
columns 970A-970D, with the corresponding merged result 
shown in column 970E. Note, the " — " in the fields indicate
a don't care condition as a merged result corresponding to a
higher priority will be selected.

In one embodiment, the merge result of a Quality of
Service (QoS) lookup operation is illustrated in security
combiner logic 972, and is based on the results of a
previously merged security lookup operation and up to four
substantially simultaneous (or not) lookup operations with
differing precedence indicated in columns 972A-970E, with
the corresponding merged result shown in column 972F.

In one embodiment, the merge result of an accounting 
lookup operation is illustrated in accounting combiner logic 
972, and is based on the results of a previously merged 
security lookup operation and up to four substantially simul- 
taneous (or not) lookup operations with differing precedence 
indicated in columns 974A-974E, with the corresponding 
merged result shown possibly identifying a counter to be 
updated in column 972F. 

FIG. 9K illustrates a process used in one embodiment, to
generate a security merged result, a QoS merged result, and
an accounting merged result. Processing begins with process
block 980, and proceeds to process block 981, wherein a 
packet is identified. Next, in process block 982, one or more 
FIB lookup operations are performed to identify source and 
destination ASNs. In process block 983, a security lookup
value is identified. In process block 984, lookup operations
are performed based on the security lookup value in multiple
associative memory banks and one or more adjunct memo-
ries to identify multiple security results, which are merged in
process block 985 to identify the merged security result.
Also, this merged security result is stored in a data structure
or other mechanism for use in identifying the merged QoS
and accounting results.

In process block 986, the QoS lookup value is identified.
In process block 987, lookup operations are performed
based on the QoS lookup value in multiple associative
memory banks and one or more adjunct memories to iden-
tify multiple QoS results, which, in process block 988, are
merged along with the previously determined merged secu-
rity result to identify the merged QoS result.

In process block 989, the accounting lookup value is 
identified. In process block 990, lookup operations are 
performed based on the accounting lookup value in multiple 
associative memory banks and one or more adjunct memo- 
ries to identify multiple accounting results, which, in process 
block 991, are merged along with the previously determined 
merged security result to identify the merged accounting 
result. Also, an identified counter or other accounting
mechanism is updated. Processing is complete as indicated 
by process block 992. 
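
The following sketch models the security and accounting steps of FIG. 9K in software: ternary bank lookups, adjunct results carrying a type, action or counter indication, and precedence, and the combiner rules stated for the four-bank embodiment. It is an added example, not code from the patent. The precedence encoding (0 is highest), the key packing, the sample entries, the counter names and the deny default are assumptions, and because the truth tables of FIGS. 9H-9J are not reproduced in the text, the accounting merge here does not take the merged security result as an input.

```python
from dataclasses import dataclass
from typing import Optional

LOWEST = 256  # assumption: precedence 0 is highest and programmed values are 0..255

@dataclass(frozen=True)
class Result:            # adjunct memory entry, modelled on result value 965
    rtype: str           # 965A: result type
    action: str          # 965B: action or counter indication
    precedence: int      # 965C: precedence indication

def pack_key(proto: int, dport: int, src_asn: int) -> int:
    """Pack a subset of lookup value 960: protocol type, destination port, source ASN."""
    return (proto << 32) | (dport << 16) | src_asn

M_PROTO, M_DPORT, M_ASN = 0xFF << 32, 0xFFFF << 16, 0xFFFF   # ternary mask fields

class Bank:
    """One associative memory bank and its adjunct memory, holding one feature."""
    def __init__(self, rows):
        self.rows = rows  # [(value, mask, Result)]; mask bit 1 = compare, 0 = don't care

    def lookup(self, key: int) -> Optional[Result]:
        for value, mask, result in self.rows:   # first matching entry in the bank wins
            if (key & mask) == (value & mask):
                return result
        return None                              # miss in this bank

def merge(results, default: Result, miss: Optional[Result] = None) -> Result:
    """Combiner: results[i] is bank i's result; bank 0 has the highest implied precedence."""
    if all(r is None for r in results):
        return default                           # miss in all banks: global-register default
    filled = [miss if r is None else r for r in results]
    hits = [r for r in filled if r is not None]
    # min() returns the first of equal items, so equal precedence falls back to bank order
    return min(hits, key=lambda r: r.precedence)

TCP, UDP = 6, 17
# Constructed sample programming, not taken from the patent's figures.
SECURITY = [
    Bank([(pack_key(TCP, 23, 0), M_PROTO | M_DPORT, Result("ACL", "deny", 1))]),
    Bank([(pack_key(TCP, 23, 64510), M_PROTO | M_DPORT | M_ASN, Result("ACL", "permit", 0)),
          (pack_key(0, 0, 64500), M_ASN, Result("ACL", "permit", 1))]),
]
ACCOUNTING = [
    # Two different entries point at the same counter, as in FIG. 8F.
    Bank([(pack_key(0, 0, 64500), M_ASN, Result("Accounting", "ctr1", 0)),
          (pack_key(0, 0, 64510), M_ASN, Result("Accounting", "ctr1", 0))]),
    Bank([(pack_key(UDP, 0, 0), M_PROTO, Result("Accounting", "ctr2", 0))]),
]
ACL_MISS = Result("ACL", "permit", LOWEST)      # per-bank miss: permit, lowest precedence
ACL_DEFAULT = Result("ACL", "deny", LOWEST)     # constructed global-register default
NO_COUNTER = Result("Accounting", "", LOWEST)   # all accounting banks missed

def process(counters: dict, proto: int, dport: int, src_asn: int, length: int):
    """Security lookup and merge, then accounting lookup, merge and counter update."""
    key = pack_key(proto, dport, src_asn)
    sec = merge([b.lookup(key) for b in SECURITY], ACL_DEFAULT, ACL_MISS)
    acct = merge([b.lookup(key) for b in ACCOUNTING], NO_COUNTER)
    if acct.action:                              # update the counter, if any, by byte count
        counters[acct.action] = counters.get(acct.action, 0) + length
    return sec.action, acct.action

if __name__ == "__main__":
    totals = {}
    for pkt in [(TCP, 23, 64500, 100), (TCP, 23, 64510, 60), (UDP, 53, 64999, 40)]:
        print(pkt, process(totals, *pkt))
    print(totals)
```
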

In view of the many possible embodiments to which the 
principles of our invention may be applied, it will be 
appreciated that the embodiments and aspects thereof 
described herein with respect to the drawings/figures are 
only illustrative and should not be taken as limiting the 
scope of the invention. For example and as would be 
apparent to one skilled in the art, many of the process block 
operations can be re-ordered to be performed before, after,
or substantially concurrent with other operations. Also, 
many different forms of data structures could be used in 
various embodiments. The invention as described herein 
contemplates all such embodiments as may come within the 
scope of the following claims and equivalents thereof.

What is claimed is:

1. A method for identifying a merged lookup result, the
method comprising:

identifying an access control list including a plurality of 
access control list entries; 

identifying a first set of access control list entries corre- 
sponding to a first feature of said plurality of access 
control list entries; 

programming a first associative memory bank and a first 
adjunct memory with first associative memory entries 
corresponding to the first set of access control list 
entries;

identifying a second set of access control list entries 
corresponding to a second feature of said plurality of 
access control list entries; and 
programming a second associative memory bank and a 
second adjunct memory with second associative 
memory entries corresponding to the second set of 
access control list entries; 
wherein said first associative memory entries have a 
higher lookup precedence than said second associative 
memory entries. 

2. The method of claim 1, comprising: 
identifying a lookup value; 

performing lookup operations in the first associative 
memory bank and the first adjunct memory to generate 
a first lookup result; 
the identified accounting mechanism is updated. Processing is complete as indicated by process block 828.

FIG. 8D illustrates one embodiment of a system for updating an accounting value based on that defined by an access control list or other mechanism. Packets 831 are received and processed by packet processor 832 to generate packets 839. In one embodiment, packet processor 832 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 833 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 833, a lookup operation is performed in associative memory entries 834 in one or more associative memory banks and/or one or more associative memories to generate a counter indication 835. The corresponding counting mechanism within counters and decoder/control logic 836 is updated. Counter values 837 are typically communicated via any communication mechanism and/or technique to packet processor 832 or another device to be forwarded or processed.

FIG. 8E illustrates one embodiment of a system for updating an accounting value based on that defined by an access control list or other mechanism. Packets 840 are received and processed by packet processor 841 to generate packets 849. In one embodiment, packet processor 841 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 842 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 842, a lookup operation is performed in associative memory entries 843 in one or more associative memory banks and/or one or more
corresponding one or more adjunct memories to identify a counter indication. In process block 890, the counter, if any, corresponding to the counter indication is updated by some static or dynamic value. Processing is complete as indicated by process block 892.

FIG. 9A illustrates one embodiment of a system for identifying a merged lookup result. Packets 901 are received and processed by packet processor 902 to generate packets 909. In one embodiment, packet processor 902 performs a lookup operation in a forwarding information base (FIB) data structure to identify the source and/or destination autonomous system number associated with the identified packet.

Based on an identified packet, autonomous system numbers, and/or other information, a lookup value 903 is identified. FIG. 9G illustrates a lookup value 960 used in one embodiment. One embodiment uses all, less than all, or none of fields 960A-960I.

Based on lookup value 903, a lookup operation is performed in associative memory entries 904 (e.g., access control list, security, quality of service, accounting entries) in multiple associative memory banks and/or one or more associative memories to generate results 905, based on which, memories 906 generate results 907. Combiner mechanism 910 merges results 907 to produce one or more merged results 911, which are typically used by packet processor 902 in the processing of packets. In one embodiment, combiner mechanism 910 includes a processing element responsive to computer-readable medium (e.g., software, firmware, etc.), custom hardware (e.g., circuits, ASICs, etc.) and/or via any other means or mechanism. In one embodiment, a merged result 911 includes a counter indication which is used by counters and decoder/control logic 912 to update a value. The accumulated accounting values 913 are typically communicated to packet processor 902 or another device.

FIG. 9B illustrates an access control list 915, including access control list entries of multiple features of a same type. For example, entries 916 correspond to security entries such as the packet that should be dropped or processed, while entries 917 correspond to packets that should or should not be sent to a mechanism to encrypt the packet. Different associative memories are each programmed with associative memory
Listing of Claims:

Claims 1-3 (cancelled) 

Claim 4 (currently amended): A method for identifying a merged lookup result, the

method comprising:

identifying an access control list including a plurality of access control list entries; 

identifying a first set of access control list entries corresponding to a first feature of 
said plurality of access control list entries; 

programming a first associative memory bank and a first adjunct memory with first 
associative memory entries corresponding to the first set of access control list entries 

identifying a second set of access control list entries corresponding to a fifst second 
feature of said plurality of access control list entries; and 

programming a second associative memory bank and a second adjunct memory with 
second associative memory entries corresponding to the second set of access control list 
entries; 

wherein said first associative memory entries have a higher lookup precedence than 
said second associative memory entries. 